Chapter 2 



1. Secure Programs 

- enforces the expected security goals
- takes too long to break
- runs for a period of time without failures


2- One way to assess security or quality is to ask people to name the characteristics of software that contribute to its overall security.




2-Program faults: 
Faults: 



Fault: An incorrect step, command, process or data definition in a piece of software.


Failures: 




Failure: A departure from the system's desired behaviour.



Note that: 

- An error may cause many faults.

- Not every fault leads to a failure.

Error: A human mistake in performing some software-related activity, such as specification or coding.



Basic Ideas 

- A program security flaw is an undesired program behavior caused by a program vulnerability.

- Work on program security considers two questions:
  - How do we keep programs free from flaws?
  - How do we protect computing resources against programs with flaws?

- Early idea was to attack the finished program to reveal faults, and then to patch the corresponding errors.

- Experience shows that this is not effective, and just tends to introduce new faults (and errors)!

- More modern approach is to use careful specification and compare behavior with the expected.



Program security flaws 


1. Non-malicious flaws. Introduced by the programmer overlooking something:
   - Buffer overflow
   - Incomplete mediation
   - Time-of-check to Time-of-use (TOCTTU) errors


Buffer overflow: 

A program that fails to check for buffer overflow may allow vital data or code to be overwritten.



Buffer may overflow into (and change):

- User's own data structures
- User's program code
- System data structures
- System program code




Buffer overflow (2)

- Space for declared variables is in many languages allocated on the stack, together with return addresses.

- This means that overflow of a buffer can overwrite the return address:


Figure: stack layout (top to bottom): Local buffer (AAAAAAAA AAAAAAAA), Old base pointer (AAAAAAAA), Return address (0XBFFFF74), Arguments.
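An added example, not from the notes: copying untrusted input into a fixed-size buffer like the arr[10] described above, with the unchecked pattern shown for contrast next to two checked alternatives. CAP, the 10-byte size and the function names are assumptions made for this example.

```c
#include <string.h>

/* Added example, not from the notes: copying untrusted input into a fixed-
 * size buffer like the arr[10] described above. copy_unchecked() is the
 * pattern the notes warn about; the two checked variants cannot run past the
 * end of the buffer. CAP and the function names are assumptions. */
#define CAP 10

/* No length check: a longer input overwrites whatever follows the buffer on
 * the stack (saved base pointer, return address). Kept only for contrast; it
 * is never called here, since calling it with long input is undefined. */
void copy_unchecked(char dst[CAP], const char *src) {
    strcpy(dst, src);
}

/* Option 1: refuse anything that does not fit together with its NUL.
 * Returns 0 on success, -1 on rejection; dst is untouched when rejected. */
int copy_or_reject(char dst[CAP], const char *src) {
    size_t n = 0;
    while (n < CAP && src[n] != '\0') n++;   /* bounded scan: never past CAP */
    if (n >= CAP) return -1;                 /* n == CAP: no room for the NUL */
    memcpy(dst, src, n + 1);                 /* n + 1 <= CAP bytes */
    return 0;
}

/* Option 2: keep what fits and always terminate. strncpy() on its own leaves
 * no terminator when src has CAP-1 or more bytes, so the last byte is set
 * explicitly. Returns the number of bytes kept, excluding the NUL. */
size_t copy_truncate(char dst[CAP], const char *src) {
    strncpy(dst, src, CAP - 1);
    dst[CAP - 1] = '\0';
    return strlen(dst);
}
```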















Buffer overflow in ASP 

- loop (response.redirect();)

- scripting (Internet Explorer does not allow JavaScript)

- phone number




Incomplete mediation 

- Failure to perform "sanity checks" on data can lead to random or carefully planned flaws.

- Examples:

  - Impossible dates in correct format (say yyyyMMMdd): 1800Feb30, 2048Min32
    What happens when these dates are looked up in tables in the program?

  - Alterable parameter fields in URL:
    http://www.things.com/order/final&custID=101&part=555A&qy=20&price=10&ship=boat&total=205
    Web site adds parameters incrementally as transaction proceeds. User can change them inconsistently.
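An added example, not from the notes: the server-side mediation that the web site in the slide's URL lacks, written in C. The parameter names and sample values are the slide's; the shipping charge table (boat = 5) is an assumption chosen so that the slide's own values add up, and the struct and function names are hypothetical.

```c
#include <string.h>
/* Added example, not from the notes: server-side mediation of the order
 * parameters in the slide's URL. All six fields come from the client and may
 * have been edited, so the server re-derives total from qy, price and ship
 * instead of trusting it. Shipping table assumed so the slide's URL adds up. */
struct order { long long cust_id, qty, price, total; char part[8], ship[8]; };
static long long ship_cost(const char *m) {         /* assumed charge table */
    return strcmp(m, "boat") == 0 ? 5 : -1;         /* unknown method: -1 */
}
/* Digits only, at most 9 of them, so qty*price cannot overflow long long. */
static int parse_num(const char *s, size_t n, long long *out) {
    if (n == 0 || n > 9) return -1;
    for (*out = 0; n--; s++) {
        if (*s < '0' || *s > '9') return -1;
        *out = *out * 10 + (*s - '0');
    }
    return 0;
}
/* Bounded copy into a fixed field; an over-long value is rejected, not cut. */
static int copy_tok(char *dst, size_t cap, const char *s, size_t n) {
    if (n == 0 || n >= cap) return -1;
    memcpy(dst, s, n); dst[n] = '\0';
    return 0;
}
/* 0 if all six fields are present and well-formed, nothing unknown appears,
 * and total == qy*price + shipping; -1 otherwise. */
int validate_order(const char *query, struct order *o) {
    unsigned seen = 0; int rc;
    memset(o, 0, sizeof *o);
    for (const char *p = query; *p; ) {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (!eq) return -1;                                    /* malformed pair */
        size_t kl = (size_t)(eq - p), vl = len - kl - 1;
        const char *v = eq + 1;
        if      (kl == 6 && !memcmp(p, "custID", 6)) { rc = parse_num(v, vl, &o->cust_id); seen |= 1; }
        else if (kl == 4 && !memcmp(p, "part", 4))   { rc = copy_tok(o->part, 8, v, vl);   seen |= 2; }
        else if (kl == 2 && !memcmp(p, "qy", 2))     { rc = parse_num(v, vl, &o->qty);     seen |= 4; }
        else if (kl == 5 && !memcmp(p, "price", 5))  { rc = parse_num(v, vl, &o->price);   seen |= 8; }
        else if (kl == 4 && !memcmp(p, "ship", 4))   { rc = copy_tok(o->ship, 8, v, vl);   seen |= 16; }
        else if (kl == 5 && !memcmp(p, "total", 5))  { rc = parse_num(v, vl, &o->total);   seen |= 32; }
        else return -1;                                        /* unknown parameter */
        if (rc) return -1;
        p = amp ? amp + 1 : p + len;
    }
    if (seen != 63 || o->qty <= 0 || o->price <= 0 || ship_cost(o->ship) < 0) return -1;
    return o->total == o->qty * o->price + ship_cost(o->ship) ? 0 : -1;
}
```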



Time-of-check to Time-of-use (TOCTTU) 



A delay between checking permission to perform certain operations and using this permission may enable the operations to be changed.




Example:

1. User attempts to write 100 bytes at end of file "abc". Description of operation is stored in a data structure.

2. OS checks user's permissions on copy of data structure.

3. While user's permissions are being checked, user changes data structure to describe operation to delete file "xyz".
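An added example (not from the notes) that models the three steps above in C: a request structure is checked and then acted on while something else may still change it, beside a version that checks and uses one private copy. The struct, op codes, permission rule and function names are hypothetical.

```c
#include <string.h>

/* Added example, not from the notes: a model of the TOCTTU example above.
 * The permission check reads a request structure that the user can still
 * modify before it is used; the fix is to check and act on one private
 * copy. The struct, op codes and the permission rule are hypothetical. */
enum op { OP_WRITE = 1, OP_DELETE = 2 };
struct request { enum op op; char path[16]; int nbytes; };

/* Something that may change the shared structure between check and use
 * (stands in for the user modifying it while the check is in progress). */
typedef void (*racer_fn)(struct request *shared);

/* Policy for the example: this user may only write to "abc". */
static int permitted(const struct request *r) {
    return r->op == OP_WRITE && strcmp(r->path, "abc") == 0;
}

/* Vulnerable pattern: check the shared structure, then act on it again.
 * Returns the operation actually performed, or -1 if denied. */
int handle_unsafe(struct request *shared, racer_fn racer) {
    if (!permitted(shared)) return -1;
    racer(shared);                 /* the check-to-use window */
    return (int)shared->op;        /* uses whatever is in the structure now */
}

/* Hardened pattern: copy once, then check and use the same copy. */
int handle_safe(struct request *shared, racer_fn racer) {
    struct request snapshot = *shared;   /* private copy the user cannot reach */
    if (!permitted(&snapshot)) return -1;
    racer(shared);                 /* later changes to shared are irrelevant */
    return (int)snapshot.op;
}

/* The change from the notes: "write 100 bytes to abc" becomes "delete xyz". */
void swap_to_delete(struct request *shared) {
    shared->op = OP_DELETE;
    strcpy(shared->path, "xyz");
    shared->nbytes = 0;
}
```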






Malicious code 



Virus: Attaches itself to program or data, passing malicious code on to non-malicious programs by modifying them.

Trojan horse: Has non-obvious malicious effect in addition to its obvious primary effect.

Logic/time bomb: Has malicious effect when triggered by certain condition.

Trapdoor/backdoor: Gives intruder (possibly privileged) access to computer.

Worm: Stand-alone program which spreads copies of itself via a network.

Rabbit: Reproduces itself continually to exhaust resources.



1- Document virus

Attached to (Notepad, Office Word, Image).
Virus code: executable code attached to the program.



2- Virus appended to a program


3- Surrounding virus


4- Modified program virus (integrated virus)


How does a virus gain control?

1- Overwriting


2- Changing the pointer




Boot sector virus


Memory-resident virus




Virus signature
